Gitiles
Code Review Sign In
gerrit.opencord.org / ansible / role / netprep / 7e6abe0f633fa3f1dc8843bef8c83bdffd05a674 / . / templates / nftables.conf.j2
blob: c66cc9f0a2a1a915a2bc346d2c42e69fef654266 [file] [log] [blame]
Zack Williamse695dea2020-11-19 17:17:40 -0700[diff] [blame]1#!/usr/sbin/nft -f
2{#
3SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
4SPDX-License-Identifier: Apache-2.0
5#}
6
7flush ruleset
8
9# Primary rules
10table inet filter {
Zack Williams71e48922020-12-09 13:23:54 -0700[diff] [blame]11 chain input {
Wei-Yu Chen6509d742021-07-29 21:14:51 +0800[diff] [blame]12 type filter hook input priority 0; policy drop;
13
14 # The basic rules to accept ICMP and established connection
15 iif "lo" accept
16 ip protocol icmp accept
17 ct state established,related accept
18 ct state invalid drop
19
20 {% if "services" in netprep_nftables %}
21 ## The service present on this server
22 {% for item in netprep_nftables["services"] %}
23 # For service {{ item["name"] }}
Zack Williams90ad6842021-09-14 15:06:45 -0700[diff] [blame]24 iif "{{ netprep_nftables["internal_if"] }}" {{ item["protocol"] }} dport {{ item["port"]}} accept
Wei-Yu Chen6509d742021-07-29 21:14:51 +0800[diff] [blame]25 {% endfor %}
26 {% endif %}
27
28 # Allow SSH on all interfaces
29 tcp dport ssh accept
Wei-Yu Chen7e6abe02021-09-28 10:14:00 +0800[diff] [blame^]30 # Allow IPsec ports on external interface
31 iif "{{ netprep_nftables["external_if"] }}" udp dport 500 accept
32 iif "{{ netprep_nftables["external_if"] }}" udp dport 4500 accept
Wei-Yu Chen6509d742021-07-29 21:14:51 +0800[diff] [blame]33
Wei-Yu Chene5fb4772021-09-09 14:41:07 +0800[diff] [blame]34 {% if "interface_subnets" in netprep_nftables %}
Wei-Yu Chen6509d742021-07-29 21:14:51 +0800[diff] [blame]35 # The ingress traffic restriction of internal networks
Wei-Yu Chene5fb4772021-09-09 14:41:07 +0800[diff] [blame]36 {% for interface in netprep_nftables["interface_subnets"] %}
37 {% for item in netprep_nftables["interface_subnets"][interface] %}
38 iif "{{ interface }}" ip saddr {{ item }} accept
39 {% endfor %}
Wei-Yu Chen6509d742021-07-29 21:14:51 +0800[diff] [blame]40 {% endfor %}
41 {% endif %}
Zack Williams71e48922020-12-09 13:23:54 -0700[diff] [blame]42 }
43 chain forward {
Wei-Yu Chen6509d742021-07-29 21:14:51 +0800[diff] [blame]44 type filter hook forward priority 0; policy accept;
Zack Williams71e48922020-12-09 13:23:54 -0700[diff] [blame]45 }
46 chain output {
Wei-Yu Chen6509d742021-07-29 21:14:51 +0800[diff] [blame]47 type filter hook output priority 0; policy accept;
Zack Williams71e48922020-12-09 13:23:54 -0700[diff] [blame]48 }
Zack Williamse695dea2020-11-19 17:17:40 -0700[diff] [blame]49}
50
51# NAT
52table ip nat {
Zack Williams71e48922020-12-09 13:23:54 -0700[diff] [blame]53 chain prerouting {
54 type nat hook prerouting priority -100;
55 }
Zack Williamse695dea2020-11-19 17:17:40 -0700[diff] [blame]56
Zack Williams71e48922020-12-09 13:23:54 -0700[diff] [blame]57 chain postrouting {
58 type nat hook postrouting priority 100;
Zack Williams90ad6842021-09-14 15:06:45 -0700[diff] [blame]59 oifname "{{ netprep_nftables["external_if"] }}" masquerade;
Wei-Yu Chen7e6abe02021-09-28 10:14:00 +0800[diff] [blame^]60
61 {% if "ue_routing" in netprep_nftables -%}
62 {%- for src_subnet in netprep_nftables["ue_routing"]["src_subnets"] -%}
63 {%- for ue_subnet in netprep_nftables["ue_routing"]["ue_subnets"] %}
Wei-Yu Chen6509d742021-07-29 21:14:51 +0800[diff] [blame]64 ip saddr {{ src_subnet }} ip daddr {{ ue_subnet }} counter snat to {{ netprep_nftables["ue_routing"]["snat_addr"] }};
65 {% endfor %}
66 {% endfor %}
Wei-Yu Chen7e6abe02021-09-28 10:14:00 +0800[diff] [blame^]67 {% endif %}
Wei-Yu Chen6509d742021-07-29 21:14:51 +0800[diff] [blame]68
Wei-Yu Chen7e6abe02021-09-28 10:14:00 +0800[diff] [blame^]69 {% if "acc_routing" in netprep_nftables -%}
70 {%- for src_subnet in netprep_nftables["acc_routing"]["src_subnets"] -%}
71 {%- for acc_subnet in netprep_nftables["acc_routing"]["acc_subnets"] %}
72 ip saddr {{ src_subnet }} ip daddr {{ acc_subnet }} counter snat to {{ netprep_nftables["acc_routing"]["snat_addr"] }};
73 {% endfor %}
74 {% endfor %}
Wei-Yu Chen6509d742021-07-29 21:14:51 +0800[diff] [blame]75 {% endif %}
Zack Williams71e48922020-12-09 13:23:54 -0700[diff] [blame]76 }
Zack Williamse695dea2020-11-19 17:17:40 -0700[diff] [blame]77}